Hacker Injects Malware into Early Access Game on Steam

📟 News

Date: 26/07/2025

A hacker known by the alias EncryptHub (also tracked as LARVA-208 and Water Gamayun) compromised the early access game Chemia on Steam to distribute an infostealer to its players.

Chemia is a survival crafting game currently being developed by Aether Forge Studios. The game is available in early access, and the date for its full release has not yet been announced.

Researchers from Prodaft discovered that the compromise of Chemia occurred on July 22, 2025, when EncryptHub added the HijackLoader malware (CVKRUTNP.exe) to the game files. This loader persists on the victim's machine and downloads the Vidar infostealer (v9d9d.exe). According to the researchers, the malware retrieves its command-and-control server address from a Telegram channel.

Three hours after the first malware was added to Chemia, a DLL file (cclib.dll) containing the second malicious program, Fickle Stealer, was injected. This file uses PowerShell (worker.ps1) to retrieve the main payload from the site soft-gets[.]com.

The Fickle stealer captures data stored in victims’ browsers, including credentials, autofill information, cookies, and cryptocurrency wallet data.
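The two infection chains above leave concrete traces in a game's install directory: the file names the researchers reported (CVKRUTNP.exe, v9d9d.exe, cclib.dll, worker.ps1) and a PowerShell script that references the payload host soft-gets[.]com. The following is an added example, not code from the article or from Prodaft, showing how a defender could sweep a Steam library folder for exactly those indicators. The directory layout it scans is a constructed sample built in a temporary folder; the file names and host are the ones named in the article, and everything else (the benign placeholder files, the helper names) is an assumption made for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: dropped file names and what each one is.
IOC_FILENAMES = {
    "cvkrutnp.exe": "HijackLoader",
    "v9d9d.exe": "Vidar infostealer",
    "cclib.dll": "Fickle Stealer DLL",
    "worker.ps1": "Fickle Stealer PowerShell downloader",
}
# Payload host reported by the researchers (written defanged in the article).
IOC_HOST_PATTERN = re.compile(r"soft-gets\.com", re.IGNORECASE)
# Script and config files whose text is worth searching for the host.
TEXT_SUFFIXES = {".ps1", ".bat", ".cmd", ".txt", ".ini", ".cfg", ".json"}


def scan_directory(root):
    """Walk an install directory and return sorted (path, reason) findings.

    A file can produce two findings: one for a known malicious name and one
    for referencing the payload host in its contents.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            label = IOC_FILENAMES.get(name.lower())
            if label:
                findings.append((str(path), f"known file name: {label}"))
            if path.suffix.lower() in TEXT_SUFFIXES:
                try:
                    text = path.read_text(errors="ignore")
                except OSError:
                    continue  # unreadable file: skip rather than abort the sweep
                if IOC_HOST_PATTERN.search(text):
                    findings.append((str(path), "references payload host soft-gets[.]com"))
    return sorted(findings)


def build_sample_install():
    """Constructed sample install: benign placeholders plus the article's indicators.

    The contents are stand-ins (no real binaries); only the names matter here.
    """
    root = Path(tempfile.mkdtemp(prefix="chemia_sample_"))
    (root / "Chemia.exe").write_bytes(b"MZ placeholder")   # benign game binary stand-in
    (root / "settings.ini").write_text("fullscreen=1\n")    # benign config
    (root / "CVKRUTNP.exe").write_bytes(b"MZ placeholder")  # HijackLoader name
    (root / "bin").mkdir()
    (root / "bin" / "cclib.dll").write_bytes(b"MZ placeholder")  # Fickle Stealer DLL name
    (root / "bin" / "worker.ps1").write_text(
        "$u = 'https://soft-gets.com/payload'\n"  # constructed line referencing the host
    )
    return root


if __name__ == "__main__":
    sample = build_sample_install()
    for path, reason in scan_directory(sample):
        print(f"{reason}: {path}")
```

Matching on file names is deliberately a first-pass triage, not a verdict: a renamed dropper evades it, and a coincidental name match is possible, so any hit should be followed by hashing the file and checking it against the researchers' published indicators before acting on it.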

“The compromised executable file appears legitimate to users downloading it from Steam, which adds an element of social engineering to the attack that relies on trust in the platform rather than traditional methods of deception,” says Prodaft. “When users click on the Playtest of this game, found among other free games, they are actually downloading malware.”

The researchers note that last year EncryptHub used the same malware in a large-scale phishing campaign built on social engineering, which resulted in the compromise of over 600 organizations worldwide.

Prodaft emphasizes that the malware operates in the background and does not affect the game’s performance, so Chemia users might not even suspect a compromise. At the time of writing, the game was still available on Steam.

At the moment, it remains unclear how exactly EncryptHub managed to inject malicious files into Chemia. One theory suggests that an insider may have assisted him. The game developers have not yet made any official statements on their Steam page or social media platforms.

This is already the third case this year involving the discovery of malware on Steam. Earlier this year, malicious games Sniper: Phantom’s Resolution and PirateFi were removed from the platform. Just like Chemia, these games were in early access.

It is worth noting that in the spring of 2025, experts from the Swedish cybersecurity company Outpost24 KrakenLabs published a comprehensive report on EncryptHub. At that time, analysts concluded that he is both a cybercriminal and a bug hunter: EncryptHub not only engages in hacking but also works as a freelance developer, and recently went as far as responsibly reporting two zero-day vulnerabilities in Windows to Microsoft.
